ec65a453de3220946b4fdad9b8bec324.ppt
- Количество слайдов: 28
Chapter 14: System Protection Operating System Concepts– 9 th Edition Silberschatz, Galvin and Gagne © 2013
Chapter 14: System Protection n Goals of Protection n Principles of Protection n Domain of Protection n Access Matrix n Implementation of Access Matrix n Access Control n Revocation of Access Rights n Capability-Based Systems n Language-Based Protection Operating System Concepts – 9 th Edition 14. 2 Silberschatz, Galvin and Gagne © 2013
Objectives n Discuss the goals and principles of protection in a modern computer system n Explain how protection domains combined with an access matrix are used to specify the resources a process may access n Examine capability and language-based protection systems Operating System Concepts – 9 th Edition 14. 3 Silberschatz, Galvin and Gagne © 2013
Goals of Protection n In one protection model, computer consists of a collection of objects, hardware or software n Each object has a unique name and can be accessed through a well-defined set of operations n Protection problem - ensure that each object is accessed correctly and only by those processes that are allowed to do so Operating System Concepts – 9 th Edition 14. 4 Silberschatz, Galvin and Gagne © 2013
Principles of Protection n Guiding principle – principle of least privilege l l Limits damage if entity has a bug, gets abused l Can be static (during life of system, during life of process) l Or dynamic (changed by process as needed) – domain switching, privilege escalation l n Programs, users and systems should be given just enough privileges to perform their tasks “Need to know” a similar concept regarding access to data Must consider “grain” aspect l Rough-grained privilege management easier, simpler, but least privilege now done in large chunks 4 l Fine-grained management more complex, more overhead, but more protective 4 n For example, traditional Unix processes either have abilities of the associated user, or of root File ACL lists, RBAC Domain can be user, process, procedure Operating System Concepts – 9 th Edition 14. 5 Silberschatz, Galvin and Gagne © 2013
Domain Structure n Access-right =
Domain Implementation (UNIX) n Domain = user-id n Domain switch accomplished via file system 4 Each file has associated with it a domain bit (setuid bit) 4 When file is executed and setuid = on, then user-id is set to owner of the file being executed 4 n Domain switch accomplished via passwords l n When execution completes user-id is reset su command temporarily switches to another user’s domain when other domain’s password provided Domain switching via commands l sudo command prefix executes specified command in another domain (if original domain has privilege or password given) Operating System Concepts – 9 th Edition 14. 7 Silberschatz, Galvin and Gagne © 2013
Domain Implementation (MULTICS) n Let Di and Dj be any two domain rings n If j < I Di Dj Operating System Concepts – 9 th Edition 14. 8 Silberschatz, Galvin and Gagne © 2013
Multics Benefits and Limits n Ring / hierarchical structure provided more than the basic kernel / user or root / normal user design n Fairly complex -> more overhead n But does not allow strict need-to-know l Object accessible in Dj but not in Di, then j must be < i l But then every segment accessible in Di also accessible in Dj Operating System Concepts – 9 th Edition 14. 9 Silberschatz, Galvin and Gagne © 2013
Access Matrix n View protection as a matrix (access matrix) n Rows represent domains n Columns represent objects n Access(i, j) is the set of operations that a process executing in Domaini can invoke on Objectj Operating System Concepts – 9 th Edition 14. 10 Silberschatz, Galvin and Gagne © 2013
Access Matrix Operating System Concepts – 9 th Edition 14. 11 Silberschatz, Galvin and Gagne © 2013
Use of Access Matrix n If a process in Domain Di tries to do “op” on object Oj, then “op” must be in the access matrix n User who creates object can define access column for that object n Can be expanded to dynamic protection l Operations to add, delete access rights l Special access rights: 4 owner of Oi 4 copy op from Oi to Oj (denoted by “*”) 4 control – Di can modify Dj access rights 4 transfer – switch from domain Di to Dj l Copy and Owner applicable to an object l Control applicable to domain object Operating System Concepts – 9 th Edition 14. 12 Silberschatz, Galvin and Gagne © 2013
Use of Access Matrix (Cont. ) n Access matrix design separates mechanism from policy l Mechanism 4 4 l Operating system provides access-matrix + rules If ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced Policy 4 4 n User dictates policy Who can access what object and in what mode But doesn’t solve the general confinement problem Operating System Concepts – 9 th Edition 14. 13 Silberschatz, Galvin and Gagne © 2013
Access Matrix of Figure A with Domains as Objects Operating System Concepts – 9 th Edition 14. 14 Silberschatz, Galvin and Gagne © 2013
Access Matrix with Copy Rights Operating System Concepts – 9 th Edition 14. 15 Silberschatz, Galvin and Gagne © 2013
Access Matrix With Owner Rights Operating System Concepts – 9 th Edition 14. 16 Silberschatz, Galvin and Gagne © 2013
Modified Access Matrix of Figure B Operating System Concepts – 9 th Edition 14. 17 Silberschatz, Galvin and Gagne © 2013
Implementation of Access Matrix n Generally, a sparse matrix n Option 1 – Global table l Store ordered triples < domain, object, rights-set > in table l A requested operation M on object Oj within domain Di -> search table for < Di, Oj, Rk > 4 with M ∈ Rk l But table could be large -> won’t fit in main memory l Difficult to group objects (consider an object that all domains can read) n Option 2 – Access lists for objects l l l Each column implemented as an access list for one object Resulting per-object list consists of ordered pairs < domain, rights-set > defining all domains with non-empty set of access rights for the object Easily extended to contain default set -> If M ∈ default set, also allow access Operating System Concepts – 9 th Edition 14. 18 Silberschatz, Galvin and Gagne © 2013
n Each column = Access-control list for one object Defines who can perform what operation Domain 1 = Read, Write Domain 2 = Read Domain 3 = Read n Each Row = Capability List (like a key) For each domain, what operations allowed on what objects Object F 1 – Read Object F 4 – Read, Write, Execute Object F 5 – Read, Write, Delete, Copy Operating System Concepts – 9 th Edition 14. 19 Silberschatz, Galvin and Gagne © 2013
Implementation of Access Matrix (Cont. ) n Option 3 – Capability list for domains l Instead of object-based, list is domain based l Capability list for domain is list of objects together with operations allows on them l Object represented by its name or address, called a capability l Execute operation M on object Oj, process requests operation and specifies capability as parameter 4 l Possession of capability means access is allowed Capability list associated with domain but never directly accessible by domain 4 4 Like a “secure pointer” 4 n Rather, protected object, maintained by OS and accessed indirectly Idea can be extended up to applications Option 4 – Lock-key l Compromise between access lists and capability lists l Each object has list of unique bit patterns, called locks l Each domain as list of unique bit patterns called keys l Process in a domain can only access object if domain has key that matches one of the locks Operating System Concepts – 9 th Edition 14. 20 Silberschatz, Galvin and Gagne © 2013
Comparison of Implementations n Many trade-offs to consider l Global table is simple, but can be large l Access lists correspond to needs of users 4 Determining set of access rights for domain non-localized so difficult 4 Every access to an object must be checked – l Capability lists useful for localizing information for a given process 4 l n Many objects and access rights -> slow But revocation capabilities can be inefficient Lock-key effective and flexible, keys can be passed freely from domain to domain, easy revocation Most systems use combination of access lists and capabilities l First access to an object -> access list searched 4 If allowed, capability created and attached to process – Additional accesses need not be checked 4 After last access, capability destroyed 4 Consider file system with ACLs per file Operating System Concepts – 9 th Edition 14. 21 Silberschatz, Galvin and Gagne © 2013
Access Control n Protection can be applied to non-file resources n Solaris 10 provides role-based access control (RBAC) to implement least privilege l Privilege is right to execute system call or use an option within a system call l Can be assigned to processes l Users assigned roles granting access to privileges and programs 4 l Enable role via password to gain its privileges Similar to access matrix Operating System Concepts – 9 th Edition 14. 22 Silberschatz, Galvin and Gagne © 2013
Role-based Access Control in Solaris 10 Operating System Concepts – 9 th Edition 14. 23 Silberschatz, Galvin and Gagne © 2013
Revocation of Access Rights n Various options to remove the access right of a domain to an object l l Selective vs. general l Partial vs. total l n Immediate vs. delayed Temporary vs. permanent Access List – Delete access rights from access list l l n Simple – search access list and remove entry Immediate, general or selective, total or partial, permanent or temporary Capability List – Scheme required to locate capability in the system before capability can be revoked l Reacquisition – periodic delete, with require and denial if revoked l Back-pointers – set of pointers from each object to all capabilities of that object (Multics) l Indirection – capability points to global table entry which points to object – delete entry from global table, not selective (CAL) l Keys – unique bits associated with capability, generated when capability created 4 Master key associated with object, key matches master key for access 4 Revocation – create new master key 4 Policy decision of who can create and modify keys – object owner or others? Operating System Concepts – 9 th Edition 14. 24 Silberschatz, Galvin and Gagne © 2013
Capability-Based Systems n Hydra l Fixed set of access rights known to and interpreted by the system 4 i. e. read, write, or execute each memory segment 4 User can declare other auxiliary rights and register those with protection system 4 Accessing process must hold capability and know name of operation 4 Rights amplification allowed by trustworthy procedures for a specific type l l Operations on objects defined procedurally – procedures are objects accessed indirectly by capabilities l Solves the problem of mutually suspicious subsystems l n Interpretation of user-defined rights performed solely by user's program; system provides access protection for use of these rights Includes library of prewritten security routines Cambridge CAP System l Simpler but powerful l Data capability - provides standard read, write, execute of individual storage segments associated with object – implemented in microcode l Software capability -interpretation left to the subsystem, through its protected procedures 4 Only has access to its own subsystem 4 Programmers must learn principles and techniques of protection Operating System Concepts – 9 th Edition 14. 25 Silberschatz, Galvin and Gagne © 2013
Language-Based Protection n Specification of protection in a programming language allows the high-level description of policies for the allocation and use of resources n Language implementation can provide software for protection enforcement when automatic hardwaresupported checking is unavailable n Interpret protection specifications to generate calls on whatever protection system is provided by the hardware and the operating system Operating System Concepts – 9 th Edition 14. 26 Silberschatz, Galvin and Gagne © 2013
Protection in Java 2 n Protection is handled by the Java Virtual Machine (JVM) n A class is assigned a protection domain when it is loaded by the JVM n The protection domain indicates what operations the class can (and cannot) perform n If a library method is invoked that performs a privileged operation, the stack is inspected to ensure the operation can be performed by the library Operating System Concepts – 9 th Edition 14. 27 Silberschatz, Galvin and Gagne © 2013
Stack Inspection Operating System Concepts – 9 th Edition 14. 28 Silberschatz, Galvin and Gagne © 2013